Fix potential bug in lookup logic
author: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 May 2013 20:59:33 +0000 (20:59 +0000)
committer: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 May 2013 20:59:33 +0000 (20:59 +0000)
https://bugs.webkit.org/show_bug.cgi?id=115522

Reviewed by Mark Hahnenberg.

Though not a problem in practice, it is technically possible
to inject an un-proxied global object into the scope chain
via the C API.  This change makes sure that the scope walk
in BytecodeGenerator actually limits itself to scopes that
are statically bindable.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::resolve):
* runtime/JSObject.h:
(JSObject):
(JSC):
(JSC::JSObject::isStaticScopeObject):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@149496 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
Source/JavaScriptCore/runtime/JSObject.h

index 5805710..21a5555 100644 (file)
@@ -1,3 +1,23 @@
+2013-05-02  Oliver Hunt  <oliver@apple.com>
+
+        Fix potential bug in lookup logic
+        https://bugs.webkit.org/show_bug.cgi?id=115522
+
+        Reviewed by Mark Hahnenberg.
+
+        Though not a problem in practise, it is technically possible
+        to inject an un-proxied global object into the scope chain
+        via the C API.  This change makes sure that the scope walk
+        in BytecodeGenerator actually limits itself to scopes that
+        are statically bindable.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::resolve):
+        * runtime/JSObject.h:
+        (JSObject):
+        (JSC):
+        (JSC::JSObject::isStaticScopeObject):
+
 2013-05-01  Roger Fong  <roger_fong@apple.com>
 
         Set Path in makefile for AppleWin.
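Review bot: "in practise" in the new ChangeLog entry should read "in practice" (the noun); the rest of the entry matches the commit message and the functions it lists are the ones touched in the other two files.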
index 7255a48..f74d52e 100644 (file)
@@ -1187,7 +1187,7 @@ ResolveResult BytecodeGenerator::resolve(const Identifier& property)
     unsigned flags = 0;
     for (; iter != end; ++iter, ++depth) {
         JSObject* currentScope = iter.get();
-        if (!currentScope->isVariableObject())
+        if (!currentScope->isStaticScopeObject())
             return ResolveResult::dynamicResolve();
 
         JSSymbolTableObject* currentVariableObject = jsCast<JSSymbolTableObject*>(currentScope);
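Review bot: the replaced guard is what protects the `jsCast<JSSymbolTableObject*>(currentScope)` on the following line, and the reason for the change is not visible at the call site. `isVariableObject()` is a range test (`type >= VariableObjectType`, per the JSObject.h hunk below), which is why an un-proxied global object placed in the scope chain through the C API could pass it and be cast and resolved statically; `isStaticScopeObject()` admits only the name-scope and activation types. Add a one-line comment along the lines of `// Only name scopes and activations are statically bindable; anything else, including a raw global object, must resolve dynamically.` so a later reader does not widen the check again, and consider an ASSERT that the cast target is in fact a JSSymbolTableObject to document the invariant the new check restores.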
index ad6a904..b151039 100644 (file)
@@ -571,6 +571,7 @@ public:
 
     bool isGlobalObject() const;
     bool isVariableObject() const;
+    bool isStaticScopeObject() const;
     bool isNameScopeObject() const;
     bool isActivationObject() const;
     bool isErrorInstance() const;
@@ -1081,6 +1082,14 @@ inline bool JSObject::isVariableObject() const
     return structure()->typeInfo().type() >= VariableObjectType;
 }
 
+
+inline bool JSObject::isStaticScopeObject() const
+{
+    JSType type = structure()->typeInfo().type();
+    return type == NameScopeObjectType || type == ActivationObjectType;
+}
+
+
 inline bool JSObject::isNameScopeObject() const
 {
     return structure()->typeInfo().type() == NameScopeObjectType;
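Review bot: style: the new inline definition is set off by two blank lines above and two below (the pairs around `inline bool JSObject::isStaticScopeObject() const`), while the neighbouring definitions in this file are separated by a single blank line; drop the extra ones. The exact-type comparison is deliberately narrower than the `>=` range used by `isVariableObject()` just above it, which is the whole point of the fix, so a brief comment stating that global objects are intentionally excluded would keep someone from "simplifying" it back into a range check.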